Disabling Insecure Services

You should disable insecure services if you are not using them. For example, TFTP and FTP are not secure protocols. These services are typically used to transfer firmware or software images to and from network devices and Prime Infrastructure, and to transfer system backups to external storage. We recommend that you use secure protocols (such as SFTP or SCP) for these tasks instead.

To disable FTP and TFTP services:

Step 1 Log in to Prime Infrastructure with a user ID with administrator privileges.

Disabling Root Access

Administrative users can enable root shell access to the underlying operating system for troubleshooting purposes. This access is intended for Cisco Support teams to debug product-related operational issues. We recommend that you keep this access disabled, and enable it only when required. To disable root access, run the command root_disable from the command line (see Connecting Via CLI).

Step 2 Disable the web root account by entering the following command:

PIServer/admin# ncs webroot disable

Prime Infrastructure disables the web root account.

Step 3 Disable the root shell account by entering the following command at the prompt:

PIServer/admin# root_disable

Prime Infrastructure will prompt you for the root shell account password. Enter it to complete disabling of the root shell account.

Using SNMPv3 Instead of SNMPv2

SNMPv3 is a higher-security protocol than SNMPv2. You can enhance the security of communications between your network devices and the Prime Infrastructure server by configuring the managed devices so that management takes place using SNMPv3 instead of SNMPv2.

You can choose to enable SNMPv3 when adding new devices, when importing devices in bulk, or as part of device discovery. See Related Topics for instructions on how to perform each task.

Authenticating With External AAA

User accounts and passwords are managed more securely when they are managed centrally, by a dedicated, remote authentication server running a secure authentication protocol such as RADIUS or TACACS+.

You can configure Prime Infrastructure to authenticate users using external AAA servers. You will need to access the Administration > Users > Users, Roles & AAA page to set up external authentication via the Prime Infrastructure graphic user interface (GUI). You can also set up external authentication via the command line interface (CLI). See Related Topics for instructions on how to set up AAA using each method.

Enabling NTP Update Authentication

Network Time Protocol (NTP) version 4, which authenticates server date and time updates, is an important way to harden server security. Note that you can configure a maximum of three NTP servers with Prime Infrastructure.

To set up authenticated NTP updates:

Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Be sure to enter “configure terminal” mode.

Step 2 At the prompt, enter the following command to set up an external NTPv4 server:

PIServer/admin/terminal# ntp server serverIP userID plain password

Where:

serverIP is the IP address of the authenticating NTPv4 server you want to use.

userID is the MD5 key ID configured on the NTPv4 server.

password is the corresponding plain-text MD5 key (password) for that key ID on the NTPv4 server.

For example:
ntp server 10.81.254.131 20 plain MyPassword

Step 3 To ensure that NTP authentication is working correctly, test it by executing the following commands:

To check the NTP update details: sh run

To check NTP sync details: sh ntp
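To show what the key ID and plain-text password configured above actually do on the wire, the following Python is an added example (not Cisco code and not Prime Infrastructure's implementation). It builds a minimal NTPv4 header, appends the RFC 5905 symmetric-key authenticator (32-bit key ID followed by MD5 over key || header), and verifies it the way an authenticating peer would, rejecting unsigned, unknown-key, wrong-key and tampered packets. Key ID 20 and the password "MyPassword" are taken from the page's example command; all header field values are constructed.

```python
import hashlib
import hmac
import struct

# Key table constructed for this demo; key ID 20 / "MyPassword" mirror the page's example.
NTP_KEYS = {20: b"MyPassword"}

HEADER_LEN = 48    # fixed NTPv4 header, RFC 5905
MAC_LEN = 4 + 16   # 32-bit key identifier + 16-byte MD5 digest


def build_ntp_header(tx_timestamp=0xE3E4A6A5_00000000):
    """Construct a minimal NTPv4 client header (LI=0, VN=4, mode=3). Values are constructed."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    stratum, poll, precision = 0, 6, -20
    root_delay = root_disp = ref_id = 0
    ref_ts = orig_ts = recv_ts = 0
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_disp, ref_id,
                       ref_ts, orig_ts, recv_ts, tx_timestamp)


def ntp_authenticator(key_id, key, header):
    """RFC 5905 section 7.3 symmetric-key MAC: key ID, then MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def sign_ntp_packet(key_id, key, header):
    """Packet as sent by a peer that has the key: header followed by the authenticator."""
    return header + ntp_authenticator(key_id, key, header)


def verify_ntp_packet(packet, keys=NTP_KEYS):
    """Return (accepted, key_id). Unauthenticated, unknown-key and tampered packets are
    rejected; the digest comparison is constant-time."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, None          # no authenticator present (or unexpected length)
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False, key_id        # key ID not in our trusted key table
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:]), key_id


def tamper(packet):
    """Flip one bit in the transmit timestamp to simulate an in-path modification."""
    data = bytearray(packet)
    data[HEADER_LEN - 1] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    hdr = build_ntp_header()
    pkt = sign_ntp_packet(20, NTP_KEYS[20], hdr)
    print("valid packet accepted:   ", verify_ntp_packet(pkt))
    print("tampered packet accepted:", verify_ntp_packet(tamper(pkt)))
    print("unsigned packet accepted:", verify_ntp_packet(hdr))
```

Because the key is mixed into the digest, a server that does not hold the same key ID and password cannot produce an authenticator the client will accept, which is exactly what `sh ntp` confirms when it reports an authenticated, synced peer.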

Enabling Certificate-Based OCSP Authentication

You can further enhance the security of Prime Infrastructure’s interaction with its web clients by setting up certificate-based client authentication using the Online Certificate Status Protocol (OCSP).

With this form of authentication, Prime Infrastructure validates the web client’s certificate and its revocation status before permitting the user to access the login page. Checking the revocation status ensures that the issuing Certificate Authority (CA) has not already revoked the certificate.

Prime Infrastructure uses OCSP to check the certificate’s revocation status. OCSP is a real-time certificate status check mechanism, which is faster and more reliable than other methods. It is an open Internet-standard protocol rather than a proprietary one, is supported by most browsers, is widely accepted, and is DoD-compliant.

Before You Begin

You will want to ensure that:

Prime Infrastructure is configured to authorize user access via an external AAA server using a secure protocol, such as RADIUS or TACACS+. The US Department of Defense and other security agencies recommend doing so as a way to ensure secure authentication. See “Authenticating With External AAA” in Related Topics for more information. This permits two-factor authentication: certificate authentication takes place separately from user ID and password authentication.

You have set up a repository to store certificates. There are very few restrictions on how you do this. The repository can be located on storage media local to the Prime Infrastructure server or on a remote host. If it is remote, it can be located on a dedicated server you set up or on a shared certificate server used throughout your organization. Be sure that any remote repository you use is accessible from the Prime Infrastructure server via a supported protocol (NFS, FTP, or SFTP).

You know the name of the certificate repository, the name of the folder within the repository where certificate files are stored, and the name and password of a user with read/write access to that repository and folder.

The certificate files exist in the certificate repository.

Your organization’s DNS servers are able to resolve the URLs of the OCSP responders maintained by the CA that issued your certificates. These OCSP responder URLs are embedded in the certificate files (for example, “OCSP.Responder.Service”). IP addresses are not embedded in the certificate files, so these URLs must be resolvable by DNS.

After You Finish

Once you have enabled this form of authentication, every client web browser used to access Prime Infrastructure must import the client certificates. See “Importing OCSP-Verified Certificates Into Web Clients” in Related Topics for more information.

Step 1 Log in to Prime Infrastructure using the command line, as explained in “Connecting Via CLI” in Related Topics. Be sure to enter “configure terminal” mode.

Step 2 Run the following commands in the order given to create an alias for the certificate repository and configure Prime Infrastructure to access that alias:

PIServer/admin(config)# repository CertRepoName

PIServer/admin(config-repository)# url proto://CAPath

PIServer/admin(config-repository)# user username password type pword

Where:

CertRepoName is the name of the certificate repository (for example: MyCertRepo).

proto is the name of the protocol used to access the repository (that is: NFS, FTP, or SFTP).

CAPath is the complete URL and path to the location where the certificates are stored.

username is the name of the user who will be accessing the certificates in the repository. This must be an existing user already given permission to access CAPath.

type is the password encryption type (either plain for plain text, or hash for an encrypted password).

pword is the corresponding password for the user specified in username (in plain text or encrypted form, depending on the value of type).

Step 3 Run the following commands to verify that the certificates are available at the path on the certificate repository:

PIServer/admin(config-repository)# exit

PIServer/admin(config)# exit

PIServer/admin# show repository CertRepoName

The last command will return a list of the certificates stored in the repository. The certificates you want should be in the list. For example, if you have more than one certificate file, you might see a listing like this:

certnew_latest.cer

certnew_sub_ca1.cer

Step 4 Run the following command to install the certificates into the Prime Infrastructure keystore repository, creating an alias for each file (if you have more than one certificate file, you will need to run this command more than once):

Importing Client Certificates Into Web Browsers

Users accessing Prime Infrastructure servers with certificate authentication must import client certificates into their browsers in order to authenticate. Although the process is similar across browsers, the actual details vary with the browser. The following procedure assumes that your users are using a Prime Infrastructure-compatible version of Firefox.

Before You Begin

You must ensure that the user importing the client certificates has:

Downloaded a copy of the certificate files to a local storage resource on the client machine

If the certificate file is encrypted: The password with which the certificate files were encrypted.

Step 1 Launch Firefox and enter the following URL in the location bar: about:preferences#advanced

Setting Up SSL Certification

Secure Sockets Layer (SSL) certification is used to ensure secure transactions between a web server and browsers. Installing the certificates allows your web browser to trust the server’s identity and to establish secure communications that are authenticated by a certificate signing authority (CSA).

These certificates are used to validate the identity of the server or website and are used to generate the encryption key used in the SSL. This encryption protects the information being passed between the server and the client.

Setting Up SSL Client Certification

To set up SSL client certificate authentication, follow the steps below. These steps use the US Department of Defense (DoD) as an example of a Certificate Signing Authority (CSA), but you may use any CSA that authenticates SSL certificates.

Note that access to the keytool utility, available in JDK, is required in this method of creating SSL certificates. Keytool is a command-line tool used to manage keystores and the certificates.

If you received both the root CA certificate and the subordinate CA certificate, bundle them together using the following commands:

% cat DoD-sub.crt > ca-bundle.crt

% cat DoD-rootCA.crt >> ca-bundle.crt

Step 6 To set up SSL client authentication using these certificates, enable SSL client authentication in Apache in the ssl.conf file located in the <NCS_Home>/webnms/apache/ssl/backup/ folder:

SSLCACertificatePath conf/ssl.crt

SSLCACertificateFile conf/ssl.crt/ca-bundle.crt

SSLVerifyClient require

SSLVerifyDepth 2

(The mod_ssl directive names are SSLCACertificatePath and SSLCACertificateFile; Apache rejects the misspelled forms as unknown directives.) SSLVerifyDepth depends on the depth of the certificate chain. If you have only one root CA certificate, set it to 1. If you have a certificate chain (root CA and subordinate CA), set it to 2.

Enabling OCSP Settings on the Prime Infrastructure Server

Online Certificate Status Protocol (OCSP) enables certificate-based authentication for web clients using OCSP responders. Typically, the OCSP responder’s URL is read from the certificate’s Authority Information Access (AIA) extension. As a failover mechanism, you can configure the same URL on the Prime Infrastructure server as well.

To set up a custom URL of an OCSP responder, follow the steps below.

Step 1 Log in to the Prime Infrastructure server using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.

Step 2 At the prompt, enter the following command to enable client certificate authentication:

PIServer/admin# ocsp responder custom enable

Step 3 At the prompt, enter the following command to set the custom OCSP responder URL:

PIServer/admin# ocsp responder set url Responder#URL

Where:

Responder# is the number of the OCSP responder you want to define (e.g., 1 or 2).

URL is the URL of the OCSP responder, as taken from the client CA certificate.

Note that there should be no space between the Responder# and URL values.

Step 4 To delete an existing custom OCSP responder defined on the Prime Infrastructure server, use the following command:

PIServer/admin# ocsp responder clear url Responder#

If you do not already know the number of the OCSP responder you want to delete, use the show security-status command to view the OCSP responders currently configured on the server. For details, see Checking On Server Security Status.

Setting Up Local Password Policies

If you are authenticating users locally, using Prime Infrastructure’s own internal authentication, you can enhance your system’s security by enforcing rules for strong password selection.

Step 3 Select the check boxes next to the password policies you want to enforce, including:

The minimum number of characters passwords must contain.

No use of the username or “cisco” as a password (or common permutations of these).

No use of “public” in root passwords.

No more than three consecutive repetitions of any password character.

Passwords must contain at least one character from three of the following character classes: upper case, lower case, digit, and special character.

Whether the password must contain only ASCII characters.

Minimum elapsed number of days before a password can be reused.

Password expiration period.

Advance warnings for password expirations.

If you enable any of the corresponding password policies, you can also specify:

The minimum password length, in number of characters.

The minimum elapsed time between password re-uses.

The password expiry period.

The number of days in advance to start warning users about future password expiration.

Step 4 Click Save.
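To make the rules listed in Step 3 concrete, the following Python is an added example (not Prime Infrastructure's own implementation; the rule names, the default thresholds and the small set of "common permutations" it checks are assumptions). It applies the policies to a candidate password and returns the names of every rule it violates, so you can see what each rule accepts and rejects:

```python
import re

# Assumed defaults; Prime Infrastructure lets the administrator choose these values.
DEFAULT_POLICY = {
    "min_length": 8,
    "forbid_username_and_cisco": True,
    "forbid_public_for_root": True,
    "max_consecutive_repeats": 3,   # "no more than three consecutive repetitions"
    "require_three_classes": True,  # three of: upper, lower, digit, special
    "ascii_only": True,
}


def _permutations_of(word):
    """Assumed 'common permutations': lowercase, reversed, and simple leet substitutions."""
    lowered = word.lower()
    leet = lowered.translate(str.maketrans({"i": "1", "o": "0", "s": "5",
                                            "a": "@", "e": "3"}))
    return {lowered, lowered[::-1], leet}


def check_password(password, username, policy=DEFAULT_POLICY, is_root=False):
    """Return the list of violated rule names; an empty list means the password is acceptable."""
    violations = []
    lowered = password.lower()

    if len(password) < policy["min_length"]:
        violations.append("min_length")

    if policy["forbid_username_and_cisco"]:
        banned = _permutations_of(username) | _permutations_of("cisco")
        if any(b and b in lowered for b in banned):
            violations.append("username_or_cisco")

    if policy["forbid_public_for_root"] and is_root and "public" in lowered:
        violations.append("public_in_root_password")

    # (.)\1{n,} matches a run of n+1 or more identical characters.
    n = policy["max_consecutive_repeats"]
    if re.search(r"(.)\1{%d,}" % n, password):
        violations.append("consecutive_repeats")

    if policy["require_three_classes"]:
        classes = sum(bool(re.search(p, password))
                      for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < 3:
            violations.append("character_classes")

    if policy["ascii_only"] and not password.isascii():
        violations.append("non_ascii")

    return violations


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for pw, user, root in [("cisco123", "alice", False),
                           ("Tr0ub4dor&Rain", "alice", False),
                           ("Goodpassword1!aaaa", "bob", False),
                           ("Public-Admin9", "root", True),
                           ("Pässwörd-12", "eve", False)]:
        print(f"{pw!r} for {user}: {check_password(pw, user, is_root=root) or 'OK'}")
```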

Disabling Individual TCP/UDP Ports

The following table lists the TCP and UDP ports Prime Infrastructure uses, the names of the services communicating over these ports, and the product’s purpose in using them. The “Safe” column indicates whether you can disable a port and service without affecting Prime Infrastructure’s functionality.

Table B-1 Prime Infrastructure TCP/UDP Ports

Port      | Service Name   | Purpose                                                                                                                                    | Safe?
21/tcp    | FTP            | File transfer between devices and server                                                                                                   | Y
22/tcp    | SSHD           | Used by SCP, SFTP, and SSH connections to and from the system                                                                              | N
69/udp    | TFTP           | File transfer between devices and the server                                                                                               | Y
162/udp   | SNMP-TRAP      | To receive SNMP Traps                                                                                                                      | N
443/tcp   | HTTPS          | Primary Web Interface to the product                                                                                                       | N
514/udp   | SYSLOG         | To receive Syslog messages                                                                                                                 | N
1522/tcp  | Oracle         | Oracle/JDBC Database connections: these include both internal server connections and connections with the High Availability peer server    | N
8082/tcp  | HTTPS          | Health Monitoring                                                                                                                          | N
8087/tcp  | HTTPS          | Software updates on HA Secondary Systems                                                                                                   | N
9991/udp  | NETFLOW        | To receive Netflow streams (enabled if Assurance license installed)                                                                        | N
61617/tcp | JMS (over SSL) | For interaction with remote Plug&Play Gateway server                                                                                       | Y
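A practical way to use Table B-1 is to compare it against what the server actually has listening. The Python below is an added example (not Cisco tooling): it carries the table as data, parses `ss -tuln`-style output, and classifies each listening port as documented-and-required, documented-and-safe-to-disable, or undocumented and therefore worth investigating. The sample output is constructed; in particular the 8443/tcp listener is made up to show the undocumented case.

```python
# Table B-1 transcribed as data: (port, protocol) -> (service name, safe to disable?).
DOCUMENTED_PORTS = {
    (21, "tcp"): ("FTP", True),
    (22, "tcp"): ("SSHD", False),
    (69, "udp"): ("TFTP", True),
    (162, "udp"): ("SNMP-TRAP", False),
    (443, "tcp"): ("HTTPS", False),
    (514, "udp"): ("SYSLOG", False),
    (1522, "tcp"): ("Oracle", False),
    (8082, "tcp"): ("HTTPS", False),
    (8087, "tcp"): ("HTTPS", False),
    (9991, "udp"): ("NETFLOW", False),
    (61617, "tcp"): ("JMS (over SSL)", True),
}

# Constructed sample of `ss -tuln` output; 8443/tcp is invented to show an undocumented listener.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:69         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:162        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:1522       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8443       0.0.0.0:*
"""


def parse_listening(ss_text):
    """Return the set of (port, proto) pairs from `ss -tuln` output, skipping the header line."""
    listening = set()
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rsplit handles IPv6 forms such as [::]:22 as well as 0.0.0.0:22
        port = int(local.rsplit(":", 1)[1])
        listening.add((port, proto))
    return listening


def audit_ports(listening, documented=DOCUMENTED_PORTS):
    """Bucket each listener: undocumented (investigate), safe_to_disable (candidate), required."""
    report = {"undocumented": set(), "safe_to_disable": set(), "required": set()}
    for key in listening:
        if key not in documented:
            report["undocumented"].add(key)
        elif documented[key][1]:
            report["safe_to_disable"].add(key)
        else:
            report["required"].add(key)
    return report


if __name__ == "__main__":
    result = audit_ports(parse_listening(SAMPLE_SS_OUTPUT))
    for bucket, ports in result.items():
        names = [f"{p}/{proto}" for p, proto in sorted(ports)]
        print(f"{bucket:16s} {', '.join(names) or '-'}")
```

An undocumented listener is not automatically a problem (the table only covers the ports Prime Infrastructure itself uses), but it is the first thing to explain before declaring the host hardened; a documented port marked Y is the candidate for the disable procedures earlier on this page.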

Checking On Server Security Status

Prime Infrastructure administrators can connect to the server via CLI and use the show security-status command to display the server’s currently open TCP/UDP ports, the status of other services the system is using, and other security-related configuration information. For example:

Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.